WLAN Security WPA EAP/TLS. Authentication Failed error

I am setting up WLAN to secure our wireless network. I plan to use 802.1x
EAP/TLS with certificates for the client machine and user. My issuing
certificate server is Windows 2003 Enterprise and I have the certificates set
to Autoenroll the machines in the correct AD group. WHen I check the
machines, they appear to have the correct certificates installed. The AP is
set for 802.1x and is pointed to the radius server. The radius server has
the AP as a client. However, when trying to connect to the AP, I get a
"Windows was unable to log you into the network" error after the initial
connection to the AP. Ipconfig shows an ip address of 0.0.0.0. I need some
help troubleshooting this issue. I've included some of the radius server log
below but I don't see any obvious problems.

Radius Server Log.
"RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections
to other access servers",0,"311 1 10.1.0.28 02/29/2008 18:01:15
31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all
users",1,,,,
"RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections
to other access servers",66,"311 1 10.1.0.28 02/29/2008 18:01:15
31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for all
users",1,,,,

I am really scratching my head on how to tell where the process is failing
so any help would be greatly appreciated.

Steve Halvorson
Preferred Credit, Inc

v-jpzhu
Fri Mar 07 04:48:18 CST 2008

Hello,

Thanks for your post.

It seems that there are some authentication or IAS access policy
configuration issues.

Firstly, I would like to know the following info:

1. How did you configure the Wireless Network? Are you referring to any of
the Microsoft article on securing wireless network? For your convenience, I
include some articles as following:
Providing Secure Wireless Services
<http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>
IEEE 802.1X Authentication for Wireless Connections:
<http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>
To define 802.1X authentication for wireless networks in Group Policy:
<http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/
proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/sta
ndard/proddocs/en-us/define_8021x_inGP.asp>

2. Which authentication protocol the Remote Access Policies are using?
CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access
Policy, click the Edit Profile button, go to Authentication tab, press
PrScrn key on the keyboard, paste it in MSPAINT application and email to me.

3. If there is and What's the error message it appears on the client
computer when the Wireless connection failed? Please press PrScrn key when
the error message occurs, paste it in MSPAINT applicaiton and email to me.

During IAS access, after the wireless client contacted the AP and sent the
logon credential to the AP, the AP, which is also known as IAS client will
contact the IAS for validation. If the shared secret between the IAS client
matches the one stored in IAS Server, IAS client will then forward the
logon info to the IAS Server for validation. The logon info contains a list
of requirements that must be met to allow access for the user. This list of
requirements can include verification of the password, and it can also
specify whether the user is allowed access.

Regarding this issue, we need to firstly check out if it is a problem about
the communication between IAS Client and the IAS Server or if the issue
occurs on Logon info validation.

So, please do the following and provide me with the log files for research:

1. IAS Logging:
============

Go to IAS Server, go to command prompt and type the following command
"netsh ras set tracing * enable" (without the quotation marks).
Repro the issue and then, compress and email me with the C:\winodws\debug
folder.

2. Networking Edition MPS_Report log:
=============================

Download the Network Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\network\bin\cab directory.

3. Directory Edition of MPS_Report log:
==============================

If the wireless cilent PC is in a domain environment, please download the
Directory Edition of MPS_Report tool from
<http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
915706/MPSRPT_DirSvc.EXE>, run it on one of your DC. Email me the
%COMPUTERNAME%_MPSReports_.CAB file which is under the
%systemroot%\MPSReports\Setup\Lite\Cab directory.

4. Event log from client computer:
==========================

a. On the wireless client computer, click Start -> Run, type EVENTVWR and
click OK.
b. Right click Application event, select ?Save Log File As???, save it as
.evt file, email it to me.
c. Export the System event log and email to me too.

You can send the log files to me at v-jpzhu@microsoft.com <mailto:
v-jpzhu@microsoft.com>.

Thanks for your time and I look forward to hearing from you. : )

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

steveh
Fri Mar 07 16:14:00 CST 2008

Thanks I gather the info and email it to you.
--
Steve Halvorson
Preferred Credit, Inc


"Jian-Ping Zhu [MSFT]" wrote:

> Hello,
>
> Thanks for your post.
>
> It seems that there are some authentication or IAS access policy
> configuration issues.
>
> Firstly, I would like to know the following info:
>
> 1. How did you configure the Wireless Network? Are you referring to any of
> the Microsoft article on securing wireless network? For your convenience, I
> include some articles as following:
> Providing Secure Wireless Services
> <http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>
> IEEE 802.1X Authentication for Wireless Connections:
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>
> To define 802.1X authentication for wireless networks in Group Policy:
> <http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/
> proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/sta
> ndard/proddocs/en-us/define_8021x_inGP.asp>
>
> 2. Which authentication protocol the Remote Access Policies are using?
> CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access
> Policy, click the Edit Profile button, go to Authentication tab, press
> PrScrn key on the keyboard, paste it in MSPAINT application and email to me.
>
> 3. If there is and What's the error message it appears on the client
> computer when the Wireless connection failed? Please press PrScrn key when
> the error message occurs, paste it in MSPAINT applicaiton and email to me.
>
> During IAS access, after the wireless client contacted the AP and sent the
> logon credential to the AP, the AP, which is also known as IAS client will
> contact the IAS for validation. If the shared secret between the IAS client
> matches the one stored in IAS Server, IAS client will then forward the
> logon info to the IAS Server for validation. The logon info contains a list
> of requirements that must be met to allow access for the user. This list of
> requirements can include verification of the password, and it can also
> specify whether the user is allowed access.
>
> Regarding this issue, we need to firstly check out if it is a problem about
> the communication between IAS Client and the IAS Server or if the issue
> occurs on Logon info validation.
>
> So, please do the following and provide me with the log files for research:
>
> 1. IAS Logging:
> ============
>
> Go to IAS Server, go to command prompt and type the following command
> "netsh ras set tracing * enable" (without the quotation marks).
> Repro the issue and then, compress and email me with the C:\winodws\debug
> folder.
>
> 2. Networking Edition MPS_Report log:
> =============================
>
> Download the Network Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\network\bin\cab directory.
>
> 3. Directory Edition of MPS_Report log:
> ==============================
>
> If the wireless cilent PC is in a domain environment, please download the
> Directory Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_DirSvc.EXE>, run it on one of your DC. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\Setup\Lite\Cab directory.
>
> 4. Event log from client computer:
> ==========================
>
> a. On the wireless client computer, click Start -> Run, type EVENTVWR and
> click OK.
> b. Right click Application event, select ?Save Log File As???, save it as
> .evt file, email it to me.
> c. Export the System event log and email to me too.
>
> You can send the log files to me at v-jpzhu@microsoft.com <mailto:
> v-jpzhu@microsoft.com>.
>
> Thanks for your time and I look forward to hearing from you. : )
>
> Sincerely,
> Neo Zhu,
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

steveh
Fri Mar 07 16:24:00 CST 2008

By the way - I used the Midsize Security Guidance - Secure Wireless Access
Point Configuration as a guide to setting up the network.
--
Steve Halvorson
Preferred Credit, Inc


"Jian-Ping Zhu [MSFT]" wrote:

> Hello,
>
> Thanks for your post.
>
> It seems that there are some authentication or IAS access policy
> configuration issues.
>
> Firstly, I would like to know the following info:
>
> 1. How did you configure the Wireless Network? Are you referring to any of
> the Microsoft article on securing wireless network? For your convenience, I
> include some articles as following:
> Providing Secure Wireless Services
> <http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>
> IEEE 802.1X Authentication for Wireless Connections:
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>
> To define 802.1X authentication for wireless networks in Group Policy:
> <http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/
> proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/sta
> ndard/proddocs/en-us/define_8021x_inGP.asp>
>
> 2. Which authentication protocol the Remote Access Policies are using?
> CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access
> Policy, click the Edit Profile button, go to Authentication tab, press
> PrScrn key on the keyboard, paste it in MSPAINT application and email to me.
>
> 3. If there is and What's the error message it appears on the client
> computer when the Wireless connection failed? Please press PrScrn key when
> the error message occurs, paste it in MSPAINT applicaiton and email to me.
>
> During IAS access, after the wireless client contacted the AP and sent the
> logon credential to the AP, the AP, which is also known as IAS client will
> contact the IAS for validation. If the shared secret between the IAS client
> matches the one stored in IAS Server, IAS client will then forward the
> logon info to the IAS Server for validation. The logon info contains a list
> of requirements that must be met to allow access for the user. This list of
> requirements can include verification of the password, and it can also
> specify whether the user is allowed access.
>
> Regarding this issue, we need to firstly check out if it is a problem about
> the communication between IAS Client and the IAS Server or if the issue
> occurs on Logon info validation.
>
> So, please do the following and provide me with the log files for research:
>
> 1. IAS Logging:
> ============
>
> Go to IAS Server, go to command prompt and type the following command
> "netsh ras set tracing * enable" (without the quotation marks).
> Repro the issue and then, compress and email me with the C:\winodws\debug
> folder.
>
> 2. Networking Edition MPS_Report log:
> =============================
>
> Download the Network Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\network\bin\cab directory.
>
> 3. Directory Edition of MPS_Report log:
> ==============================
>
> If the wireless cilent PC is in a domain environment, please download the
> Directory Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_DirSvc.EXE>, run it on one of your DC. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\Setup\Lite\Cab directory.
>
> 4. Event log from client computer:
> ==========================
>
> a. On the wireless client computer, click Start -> Run, type EVENTVWR and
> click OK.
> b. Right click Application event, select ?Save Log File As???, save it as
> .evt file, email it to me.
> c. Export the System event log and email to me too.
>
> You can send the log files to me at v-jpzhu@microsoft.com <mailto:
> v-jpzhu@microsoft.com>.
>
> Thanks for your time and I look forward to hearing from you. : )
>
> Sincerely,
> Neo Zhu,
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

S
Sat Mar 08 20:41:04 CST 2008

If you're using descriptive policy names, using Windows authentication for
all users is not the right thing to do if you're using certificate
authentication.

Can you copy/pasted a formatted System log entry from event viewer?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Steve Halvorson" <steveh@news.postalias> wrote in message
news:C95D2B50-350E-4572-AF18-F2E9EF52A1C3@microsoft.com...
>I am setting up WLAN to secure our wireless network. I plan to use 802.1x
> EAP/TLS with certificates for the client machine and user. My issuing
> certificate server is Windows 2003 Enterprise and I have the certificates
> set
> to Autoenroll the machines in the correct AD group. WHen I check the
> machines, they appear to have the correct certificates installed. The AP
> is
> set for 802.1x and is pointed to the radius server. The radius server has
> the AP as a client. However, when trying to connect to the AP, I get a
> "Windows was unable to log you into the network" error after the initial
> connection to the AP. Ipconfig shows an ip address of 0.0.0.0. I need
> some
> help troubleshooting this issue. I've included some of the radius server
> log
> below but I don't see any obvious problems.
>
> Radius Server Log.
> "RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections
> to other access servers",0,"311 1 10.1.0.28 02/29/2008 18:01:15
> 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for
> all
> users",1,,,,
> "RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections
> to other access servers",66,"311 1 10.1.0.28 02/29/2008 18:01:15
> 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for
> all
> users",1,,,,
>
> I am really scratching my head on how to tell where the process is failing
> so any help would be greatly appreciated.
>
> Steve Halvorson
> Preferred Credit, Inc

v-jpzhu
Mon Mar 10 04:22:52 CDT 2008

Hello,

Thank you for your feedback.

I haven't received the mail from you up till now. I wonder whether you have
already sent me the mail or you will send it after you finish gathering the
logs and screenshot.

I have created a workspace for you to upload information files in case
that the log files are large. After you finish gathering all the
information I need, please zip all the files, name the zip package using
your name and upload to the following space:

<https://sftus.one.microsoft.com/ChooseTransfer.aspx?key=6dac5fc0-fc5b-4c03-
8ecd-493ff0e71577>

Password: < PayV567Qn#>

Please post a quick note in this thread so that I can check the workspace
timely.

Thank you for your assistance and I look forward to hearing from you soon.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

steveh
Wed Mar 12 14:39:00 CDT 2008

I was able to get authentication to the WLAN working and it appears to be
working securely with certificates. However, I am not sure that it is using
the "Wireless" IAS rules. I seem to be able to connect to the WLAN even
though the computer is not in the "Remote Access Policy Wireless Computers"
group, which is what the Wireless rule is setup as in IAS. I am thinking
that it is using the "Connections to other access server" rule instead. The
wireless rule is #1 and the connections to other rule is #4. How can I tell
for sure what rule it is using?
--
Steve Halvorson
Preferred Credit, Inc


"Jian-Ping Zhu [MSFT]" wrote:

> Hello,
>
> Thanks for your post.
>
> It seems that there are some authentication or IAS access policy
> configuration issues.
>
> Firstly, I would like to know the following info:
>
> 1. How did you configure the Wireless Network? Are you referring to any of
> the Microsoft article on securing wireless network? For your convenience, I
> include some articles as following:
> Providing Secure Wireless Services
> <http://www.microsoft.com/technet/itsolutions/smbiz/sitsol/DsgnNwrk_8.mspx>
> IEEE 802.1X Authentication for Wireless Connections:
> <http://www.microsoft.com/technet/community/columns/cableguy/cg0402.mspx>
> To define 802.1X authentication for wireless networks in Group Policy:
> <http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/
> proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/sta
> ndard/proddocs/en-us/define_8021x_inGP.asp>
>
> 2. Which authentication protocol the Remote Access Policies are using?
> CHAP, MSCHAP, MSCHAP V2, or EAP? Please open IAS, open the Remote Access
> Policy, click the Edit Profile button, go to Authentication tab, press
> PrScrn key on the keyboard, paste it in MSPAINT application and email to me.
>
> 3. If there is and What's the error message it appears on the client
> computer when the Wireless connection failed? Please press PrScrn key when
> the error message occurs, paste it in MSPAINT applicaiton and email to me.
>
> During IAS access, after the wireless client contacted the AP and sent the
> logon credential to the AP, the AP, which is also known as IAS client will
> contact the IAS for validation. If the shared secret between the IAS client
> matches the one stored in IAS Server, IAS client will then forward the
> logon info to the IAS Server for validation. The logon info contains a list
> of requirements that must be met to allow access for the user. This list of
> requirements can include verification of the password, and it can also
> specify whether the user is allowed access.
>
> Regarding this issue, we need to firstly check out if it is a problem about
> the communication between IAS Client and the IAS Server or if the issue
> occurs on Logon info validation.
>
> So, please do the following and provide me with the log files for research:
>
> 1. IAS Logging:
> ============
>
> Go to IAS Server, go to command prompt and type the following command
> "netsh ras set tracing * enable" (without the quotation marks).
> Repro the issue and then, compress and email me with the C:\winodws\debug
> folder.
>
> 2. Networking Edition MPS_Report log:
> =============================
>
> Download the Network Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_NETWORK.EXE>, run it on the IAS Server. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\network\bin\cab directory.
>
> 3. Directory Edition of MPS_Report log:
> ==============================
>
> If the wireless cilent PC is in a domain environment, please download the
> Directory Edition of MPS_Report tool from
> <http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd
> 915706/MPSRPT_DirSvc.EXE>, run it on one of your DC. Email me the
> %COMPUTERNAME%_MPSReports_.CAB file which is under the
> %systemroot%\MPSReports\Setup\Lite\Cab directory.
>
> 4. Event log from client computer:
> ==========================
>
> a. On the wireless client computer, click Start -> Run, type EVENTVWR and
> click OK.
> b. Right click Application event, select ?Save Log File As???, save it as
> .evt file, email it to me.
> c. Export the System event log and email to me too.
>
> You can send the log files to me at v-jpzhu@microsoft.com <mailto:
> v-jpzhu@microsoft.com>.
>
> Thanks for your time and I look forward to hearing from you. : )
>
> Sincerely,
> Neo Zhu,
> Microsoft Online Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

v-jpzhu
Thu Mar 13 06:38:19 CDT 2008

Hello,

Thank you for your reply.

I think there is an easy way to check which rule is used for remote access.
Just deny remote access permission on all the other remote access polices
(including ' Connections to other access server' policy) and grant remote
access permission on the first rule which is named as 'wireless'.

You could do it in this way:
1. Right clicking the policy and click properties.
2. Select deny/grant remote access permission and press OK.

After that, try to establish the wireless connection again. If it still
works, this means the 'wireless' remote access policy is matched and the
authentication is successful.

You might also check Event log -> System log to check which remote access
police is applied.

Moreover, the following article tells you how IAS works which might be
helpful to you.

How IAS Technology Works
http://technet2.microsoft.com/windowsserver/en/library/8f5c89d5-fdaf-430c-9e
f4-318f8c15baf11033.mspx?mfr=true

I hope this helps.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

steveh
Thu Mar 13 12:15:00 CDT 2008

I guess I am not sure what you mean by a formatted copy of the system event
log, but here is the event that appears to apply...

User host/SJHAHPNC6400.mydomain.net was denied access.

Fully-Qualified-User-Name = mydomain.net/Windows Vista/SJHAHPNC6400

NAS-IP-Address = 0.0.0.0

NAS-Identifier = DWL-3140_WLS_SW

Called-Station-Identifier = 00-1c-f0-59-df-d1

Calling-Station-Identifier = 00-19-d2-ab-72-13

Client-Friendly-Name = AP_1

Client-IP-Address = 10.1.0.101

NAS-Port-Type = Wireless - IEEE 802.11

NAS-Port = 0

Proxy-Policy-Name = Use Windows authentication for all users

Authentication-Provider = Windows

Authentication-Server = <undetermined>

Policy-Name = Connections to other access servers

Authentication-Type = EAP

EAP-Type = <undetermined>

Reason-Code = 65

Reason = The connection attempt failed because remote access permission for
the user account was denied. To allow remote access, enable remote access
permission for the user account, or, if the user account specifies that
access is controlled through the matching remote access policy, enable remote
access permission for that remote access policy.

Note that the radius server is also being used to authenticate VPN traffic
through our ISA server.

Thanks
--
Steve Halvorson
Preferred Credit, Inc


"S. Pidgorny <MVP>" wrote:

> If you're using descriptive policy names, using Windows authentication for
> all users is not the right thing to do if you're using certificate
> authentication.
>
> Can you copy/pasted a formatted System log entry from event viewer?
>
> --
> Svyatoslav Pidgorny, MS MVP - Security, MCSE
> -= F1 is the key =-
>
> * http://sl.mvps.org * http://msmvps.com/blogs/sp *
>
> "Steve Halvorson" <steveh@news.postalias> wrote in message
> news:C95D2B50-350E-4572-AF18-F2E9EF52A1C3@microsoft.com...
> >I am setting up WLAN to secure our wireless network. I plan to use 802.1x
> > EAP/TLS with certificates for the client machine and user. My issuing
> > certificate server is Windows 2003 Enterprise and I have the certificates
> > set
> > to Autoenroll the machines in the correct AD group. WHen I check the
> > machines, they appear to have the correct certificates installed. The AP
> > is
> > set for 802.1x and is pointed to the radius server. The radius server has
> > the AP as a client. However, when trying to connect to the AP, I get a
> > "Windows was unable to log you into the network" error after the initial
> > connection to the AP. Ipconfig shows an ip address of 0.0.0.0. I need
> > some
> > help troubleshooting this issue. I've included some of the radius server
> > log
> > below but I don't see any obvious problems.
> >
> > Radius Server Log.
> > "RAD1","IAS",03/04/2008,00:00:01,1,"me@mydomain.net","mydomain.net/InformationTechnology/me","00-1c-f0-59-df-d1","00-13-02-1e-98-44",,,"DWL-3140_WLS_SW","0.0.0.0",0,0,"10.1.0.101","AP_1",,,19,,,,5,"Connections
> > to other access servers",0,"311 1 10.1.0.28 02/29/2008 18:01:15
> > 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for
> > all
> > users",1,,,,
> > "RAD1","IAS",03/04/2008,00:00:01,3,,"mydomain.net/InformationTechnology/Me",,,,,,,,0,"10.1.0.101","AP_1",,,,,,,5,"Connections
> > to other access servers",66,"311 1 10.1.0.28 02/29/2008 18:01:15
> > 31478",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"Use Windows authentication for
> > all
> > users",1,,,,
> >
> > I am really scratching my head on how to tell where the process is failing
> > so any help would be greatly appreciated.
> >
> > Steve Halvorson
> > Preferred Credit, Inc
>
>
>

v-jpzhu
Tue Mar 18 23:49:49 CDT 2008

Dear Customer,

Regarding your last email , I am just check and follow-up on your status.

I'm wondering if the suggestion has helped or if you have any further
questions.

Please feel free to respond to the newsgroups if I can assist further.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
From: v-jpzhu@online.microsoft.com (Jian-Ping Zhu [MSFT])
Date: Thu, 13 Mar 2008 11:38:19 GMT
Subject: RE: WLAN Security WPA EAP/TLS. Authentication Failed error
Newsgroups: microsoft.public.security

Hello,

Thank you for your reply.

I think there is an easy way to check which rule is used for remote access.
Just deny remote access permission on all the other remote access polices
(including ' Connections to other access server' policy) and grant remote
access permission on the first rule which is named as 'wireless'.

You could do it in this way:
1. Right clicking the policy and click properties.
2. Select deny/grant remote access permission and press OK.

After that, try to establish the wireless connection again. If it still
works, this means the 'wireless' remote access policy is matched and the
authentication is successful.

You might also check Event log -> System log to check which remote access
police is applied.

Moreover, the following article tells you how IAS works which might be
helpful to you.

How IAS Technology Works
http://technet2.microsoft.com/windowsserver/en/library/8f5c89d5-fdaf-430c-9e
f4-318f8c15baf11033.mspx?mfr=true

I hope this helps.

Sincerely,
Neo Zhu,
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.